Bill Strives to Protect Privacy

A bipartisan group of senators introduced comprehensive identity-theft legislation Thursday that throws some of the burden for preventing the increasingly common crime onto businesses and other organizations that collect personal information. The new legislation also would give consumers more control over their personal data.

The Identity Theft Protection Act, introduced in the Senate commerce committee by a bipartisan coalition, addresses problems with recent high-profile data breaches by requiring entities that collect sensitive information, such as Social Security numbers, to secure the data physically and technologically and to notify consumers nationwide when data is compromised.

The bill also allows consumers to freeze their credit reports to help prevent unauthorized parties from accessing private data or opening new credit accounts in an individual's name without their permission.

A spokeswoman for Consumers Union, the nonprofit organization that publishes Consumer Reports, said the bill was a good start but still needed work to protect consumers.

"We're not at the point where we're endorsing the bill," said Susanna Montezemolo, policy analyst for the consumer group. "We have some amendments that would make it stronger."

The legislation was introduced by Sens. Bill Nelson (D-Florida) and Gordon Smith (R-Oregon) and is co-sponsored by a total of four senators, from both parties, including the chair and co-chair of the commerce committee.

"The bill's bipartisan support signals that Congress is poised to act on first-ever regulations for data brokers and other companies that handle consumers' most private information," Nelson said in a statement. "If we don't do something, and do it now, none of us will have any privacy left."

The bill is not the first ID-theft legislation introduced in the wake of recent data breaches. Another bill introduced in the Senate judiciary committee about two weeks ago addresses some of the same issues in a comprehensive way, and several other bills address individual issues, such as notification to consumers. The commerce bill, however, is likely to go the distance because it has bipartisan support and was introduced in the committee that oversees the Federal Trade Commission, which is responsible for monitoring the activities of credit-reporting agencies as well as enforcing fraud legislation and tracking ID theft. The commerce bill could be amended to include wording from other ID-theft bills when it goes to markup next Thursday.

The law offers some restrictions on the use of Social Security numbers, something that consumer advocates and privacy groups have been requesting for a while.

Businesses would be prohibited from requesting Social Security numbers unless no other type of identification would be suitable. They also would be prohibited from using Social Security numbers for identification purposes on documents such as student ID cards. The law also would prohibit federal, state and judicial agencies from contracting with prison-work programs to do any labor that would give prisoners access to Social Security numbers.

The bill's requirements for protecting data and notifying consumers of a breach would cover credit agencies, data brokers, schools and any other entity that collects driver's license information, birthdates, financial data or other information that could be used by ID thieves. It would also cover third-party businesses that purchase sensitive information from any of these entities.

Presumably, one of the technological measures for protecting data would be encryption, although lawmakers have left it to the FTC to determine the specific measures. The FTC would be required to establish an information working group composed of industry representatives, consumer groups and others to weigh in on solutions for protecting data and notifying consumers of breaches.

If sensitive data is breached, the law would require the holder of the information to notify consumers if there is a reasonable risk the information could be used for ID theft and to notify the FTC if the breach involves information belonging to more than 1,000 individuals. Failure to notify consumers or the FTC could result in fines of up to $11,000 for every consumer affected by the breach, with a cap of $11 million.

This part of the proposed bill expands on a California law that was the first in the country to require businesses to notify consumers when their data was breached. The California law, which has been copied in other states, was credited with bringing to light the issue of data breaches that previously had remained unpublicized and unknown to consumers.

Montezemolo said her group had concerns about leaving it up to businesses and other organizations to decide when a breach of data constitutes a "reasonable risk" to consumers, since they have an economic incentive not to notify the consumers and bring attention to a breach.

Consumers Union prefers wording in a different ID-theft bill that would require companies by default to notify consumers of a breach unless they could show that there was no need to.

"We think ... a more consumer-friendly approach (is to require) organizations to notify consumers unless they can show, in consultation with law enforcement, that there's only a very slight risk to consumers," Montezemolo said.

With regard to credit-report freezes, the bill would require one consumer-reporting agency to notify all other reporting agencies when it receives a freeze request from a consumer, relieving consumers of that burden. Agencies would have five days to apply the freeze and three days to lift a freeze once a consumer provided proper identification. The bill allows reporting agencies to charge "a reasonable fee" for the service, but only for people who have not been victims of identity theft. The latter would get a freeze for free after providing a police report documenting the theft.

Montezemolo said that five days to implement a freeze was too generous – especially since a lot of damage could be done in that time. She also wanted credit-reporting agencies to make it easier for consumers to unfreeze data, rather than having to wait three days.

One thing the freeze doesn't do is prevent creditors from issuing pre-approved instant credit applications in the mail, which makes it easy for identity thieves who rummage through mail or garbage to find the applications and open credit accounts in a victim's name. The bill provides a special exception to the freeze to allow creditors to access credit reports to prescreen applicants.

A Senate source told Wired News that federal lawmakers adopted the exception for prescreening from a similar clause in the California legislation.

"That's a state statute that tried to balance the consumer-protection issues and the concerns of businesses to be able to market (to consumers)," the source said.

"Our members do appreciate and understand that obviously prescreening is a concern," he said, noting that the issue will be up for debate when the bill is discussed next week.